CVE-2026-32238
Published: 19 March 2026
Summary
CVE-2026-32238 is a critical-severity OS Command Injection (CWE-78) vulnerability in Open-Emr Openemr. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly enforces input validation on backup functionality inputs to prevent command injection exploitation.
SI-2 ensures timely flaw remediation by patching OpenEMR to version 8.0.0.2, which fixes the command injection vulnerability.
AC-6 enforces least privilege to limit high-privilege access to the vulnerable backup feature, reducing the attack surface for authenticated users.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection vulnerability in web application backup feature enables exploitation of public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 contain a Command injection vulnerability in the backup functionality that can be exploited by authenticated attackers. The vulnerability exists due to…
more
insufficient input validation in the backup functionality. Version 8.0.0.2 fixes the issue.
Deeper analysisAI
CVE-2026-32238 is a command injection vulnerability (CWE-78) affecting OpenEMR, a free and open source electronic health records and medical practice management application. The flaw resides in the backup functionality due to insufficient input validation and impacts all versions prior to 8.0.0.2. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, and high privileges required.
Authenticated attackers with high privileges can exploit this vulnerability remotely by injecting malicious commands through the backup feature. Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, with a changed scope that potentially affects additional resources beyond the vulnerable component.
The official GitHub security advisory (GHSA-6pmc-3xm7-pm86) and the fixing commit (7bc7bd077a624e205daed17658de41af6070ef73) confirm that upgrading to OpenEMR version 8.0.0.2 resolves the issue through improved input validation in the backup functionality. No additional mitigations are specified in the provided references.
Details
- CWE(s)